MIB-ITrace-CP: An Improvement of ICMP-Based Traceback Efficiency in Network Forensic Analysis

  • Bo-Chao Cheng
  • Guo-Tan Liao
  • Ching-Kai Lin
  • Shih-Chun Hsu
  • Ping-Hai Hsu
  • Jong Hyuk Park
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7513)


A denial-of-service (DoS) / distributed-denial-of-service (DDoS) attack may result in rapid resource depletion along the attack path. For stepping-stone and masquerading techniques typically used in DoS/DDoS attacks such as internet protocol (IP) or Media Access Control (MAC) address spoofing, tracing the intrusion back to the true attacker becomes a challenging task for network security engineers. Although the Internet Engineer Task Force (IETF) has proposed an Internet Control Message Protocol (ICMP) based Traceback solution, it faces severe difficulties in practice in regard to justifying the interoperability of deployed routers as well as the correctness of Traceback with multiple attack paths. This research proposes a novel approach to embed the essence of a management information base (MIB) into iTrace messages, named MIB-ITrace-CP, in order to improve the accuracy and efficiency of the original ICMP-based Traceback. Through our implementations on a Testbed@TWISC platform, we validated our approach and demonstrated the feasibility of practical network forensics.


DoS Spoofing Forensics Traceback ITrace-CP 


  1. 1.
    US-CERT, Computer Forensics (2008),
  2. 2.
    Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-Based IP Traceback. In: SIGCOMM 2001 (August 2001)Google Scholar
  3. 3.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Network Support for IP Traceback. IEEE/ACM Transactions on Networking (TON) 9(3), 226–237 (2001)CrossRefGoogle Scholar
  4. 4.
    Bellovin, S., Leech, M., Taylor, T.: ICMP Traceback Messages. Internet Draft (February 2003),
  5. 5.
    Internet Engineer Task Force (IETF),
  6. 6.
    Lee, H.C.J., Thing, V.L.L., Xu, Y., Ma, M.: ICMP Traceback with Cumulative Path, An Efficient Solution for IP Traceback. In: 5th International Conference on Information and Communications Security, pp. 124–135 (October 2003)Google Scholar
  7. 7.
    Thing, V.L.L., Lee, H.C.J., Sloman, M., Zhou, J.: Enhanced ICMP Traceback with Cumulative Path. In: IEEE 61st Vehicular Technology Conference (VTC 2005-Spring), vol. 4, pp. 2415–2419 (2005)Google Scholar
  8. 8.
    Tsunoda, H., Tochiori, T., Waizumi, Y., Kato, N., Nemoto, Y.: Improving the Efficiency of DoS Traceback Based on the Enhanced ITrace-CP Method for Mobile Environment (Invited Paper). In: Third International Conference on Communications and Networking in China (ChinaCom 2008), pp. 680–685 (2008)Google Scholar
  9. 9.
    Mankin, A., Massey, D., Wu, C.L., Wu, S.F., Zhang, L.: On Design and Evaluation of Intention-Driven ICMP Traceback. In: IEEE Int’ 10th Conf. Computer Communications and Networks, pp. 159–165. IEEE CS Press (2001)Google Scholar
  10. 10.
    Izaddoost, A., Othman, M., Rasid, M.F.A.: Accurate ICMP Traceback Model under DoS/DDoS ATTACK. In: 15th International Conference on Advanced Computing and Communications (ADCOM 2007), pp. 441–446 (December 2007)Google Scholar
  11. 11.
    IEEE Draft Standard for Management Information Base (MIB) Definitions for Ethernet. P802.3.1/D3.0 (November 2010)Google Scholar
  12. 12.
    Testbed@TWISC, Network Emulation Testbed,

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Bo-Chao Cheng
    • 1
  • Guo-Tan Liao
    • 1
  • Ching-Kai Lin
    • 1
  • Shih-Chun Hsu
    • 1
  • Ping-Hai Hsu
    • 2
  • Jong Hyuk Park
    • 3
  1. 1.Dept. of Communications EngineeringNational Chung Cheng UniversityTaiwan
  2. 2.Information and Communications ResearchITRITaiwan
  3. 3.Dept. of Computer Science and EngineeringSeoulTechKorea

Personalised recommendations